Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

After changing app pool identities or host headers, IIS on Windows Server 2012 R2 returns 401 Negotiate or falls back to NTLM, breaking Kerberos SSO to internal web apps.

Environment & Reproduction

Reproducible by browsing the site as a domain user using the site's FQDN (the host header, not the server name).

Import-Module WebAdministration
Get-WebConfiguration 'system.webServer/security/authentication/windowsAuthentication' 'IIS:\Sites\IISApp'
Get-WebAppPoolState

Root Cause Analysis

A missing SPN on the pool identity, a kernel-mode authentication conflict (the ticket is decrypted with the machine account while the SPN sits on the pool identity, or vice versa), or a wrong useAppPoolCredentials setting causes Negotiate to fail.

Quick Triage

Capture failed request info.

Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4625)]]" -MaxEvents 20

Step-by-Step Diagnosis

Validate SPNs and the pool identity.

setspn -L CORP\svc-iis
setspn -Q HTTP/app.corp.local
Get-WebAppPoolState -Name IISApp

Solution – Primary Fix

Register the correct SPNs on the pool identity and enable useAppPoolCredentials so kernel-mode authentication decrypts tickets with that identity's key.

setspn -S HTTP/app.corp.local CORP\svc-iis
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value True
iisreset

Solution – Alternative Approaches

Disable kernel-mode authentication when the SPN is registered on the pool identity rather than on the machine account and useAppPoolCredentials cannot be used.

Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useKernelMode -Value False
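The Root Cause, Step-by-Step Diagnosis and kernel-mode sections above all come down to one question: which account's key does IIS use to decrypt the service ticket, and does that account hold the HTTP SPN? The script below is an added example, not part of the original article; it assumes site 'IISApp', host header 'app.corp.local' and domain 'CORP', and parses setspn output heuristically (lines beginning with CN=).

```powershell
# Added example (not from the original article): derive which AD account must
# hold the HTTP SPN from the pool identity and the windowsAuthentication
# settings, then verify with setspn. Assumed names: IISApp, app.corp.local, CORP.
Import-Module WebAdministration

$site     = 'IISApp'
$hostName = 'app.corp.local'
$spn      = "HTTP/$hostName"
$domain   = 'CORP'

$pool  = (Get-Item "IIS:\Sites\$site").applicationPool
$model = (Get-Item "IIS:\AppPools\$pool").processModel
$auth  = Get-WebConfiguration 'system.webServer/security/authentication/windowsAuthentication' "IIS:\Sites\$site"

# Kernel-mode auth decrypts tickets with the machine account unless
# useAppPoolCredentials is on; built-in identities (NetworkService,
# ApplicationPoolIdentity, LocalSystem) always present the machine account.
$machine = "$domain\$env:COMPUTERNAME`$"
if ($model.identityType -eq 'SpecificUser') {
    if ($auth.useKernelMode -and -not $auth.useAppPoolCredentials) {
        $expected = $machine
        $why = 'kernel mode on, useAppPoolCredentials off: machine key decrypts tickets'
    } else {
        $expected = $model.userName
        $why = 'pool identity key decrypts tickets'
    }
} else {
    $expected = $machine
    $why = "built-in identity $($model.identityType) uses the machine account"
}
Write-Host "Pool '$pool': identityType=$($model.identityType) userName=$($model.userName)"
Write-Host "useKernelMode=$($auth.useKernelMode) useAppPoolCredentials=$($auth.useAppPoolCredentials)"
Write-Host "$spn must be registered on $expected ($why)"

# Does the expected account actually hold the SPN?
$registered = & setspn -L $expected 2>&1
if ($registered -match [regex]::Escape($spn)) {
    Write-Host "OK: $spn is registered on $expected"
} else {
    Write-Warning "$spn is NOT on $expected; Negotiate fails or falls back to NTLM"
}

# Who holds it at all? More than one DN means a duplicate SPN, which breaks
# Kerberos for every holder (heuristic parse of setspn -Q output).
$holders = @((& setspn -Q $spn 2>&1) | Where-Object { $_ -match '^CN=' })
switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered on any account" }
    1       { Write-Host "Registered on: $($holders[0])" }
    default { Write-Warning "Duplicate SPN on: $($holders -join '; ')" }
}
```

Run it elevated on the IIS server as a domain user; a warning from either check points at the fix (setspn -S on the right account, or flipping useAppPoolCredentials / useKernelMode) rather than at the application.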

Verification & Acceptance Criteria

The site returns 200 OK and klist shows a Kerberos ticket for the HTTP service (if only a TGT and no HTTP ticket appear, the client fell back to NTLM).

klist get HTTP/app.corp.local
Invoke-WebRequest http://app.corp.local -UseDefaultCredentials | Select StatusCode

Rollback Plan

Restore previous SPN and auth settings if downstream apps regress.

Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value False

Prevention & Hardening

Use a gMSA for app pools (no shared password to rotate), document which account owns each SPN, and monitor event ID 4625 (logon failure) in the Security log.

Install-ADServiceAccount svc-iis
Get-WebAppPool | Select Name,ProcessModel | Format-List

Related Errors & Cross-Refs

Linked with Kerberos SPN duplication and NTLM fallback issues.


References & Further Reading

Microsoft Learn: IIS Windows Authentication and Kerberos configuration.
